What is this “one-click billing fraud” (also “one-click fraud”) all about?

Contrary to the name, you need more than just one click to become a victim. This type of attack primarily targets users who want to view adult videos.

Users either go to video-sharing websites or adult blogs in order to watch adult videos online. Links to these sites are also spread via spam, blog comments, and social media. Once users stumble upon one-click fraud sites, they click around to explore the site.

Eventually, users are asked to download a program in order to watch a certain video. In reality, however, either no video will be played on the user's system, or just a few seconds of it. Instead, the user will be confronted by multiple windows that ask the user to click an item on the screen to view the video in its entirety.

After this, they will reach a point where they can “download” the video. What ends up being downloaded is the main one-click fraud malware. This malware often comes as HTML/HTA (HTML Application), JS, and VBS files, among other file types. These files are detected by Trend Micro as HTAPORN or PORNY variants, among others.

Once on the system, the one-click fraud malware will display some sort of alarming, obnoxious, and impossible-to-ignore alert.

In earlier versions, it was impossible to close the windows. However, because this was recognized as a symptom of one-click fraud, later versions no longer did this. These alerts all say the same thing: they demand that the user pay to see the adult video. The most common payment method offered is direct deposit to bank accounts.

Amounts involved can be significant, but always only up to 100,000 yen (approximately 1300 US dollars). This might be because Japanese banking rules do not allow transactions that go beyond 100,000 yen.

Has this threat evolved?

Traditionally, these kinds of threats were confined to the desktop. Last year, however, we first found these sorts of attacks hitting mobile platforms as well. When we encountered these attacks in late August, they did not require or use any sort of app: trying to view a video would lead to a website where the user would be told how to pay. At that time, billing fraud on mobile couldn’t use the sorts of tactics (pop-ups, annoying alerts, etc.) that were already known from desktop variants.

More recently, we have seen malicious apps used as well, just as in the desktop attack. These apps cause alerts to show up on the phone every five minutes, which makes the alerts much more annoying and increases the possibility that users will pay up.

To make the attack even more convincing, the app also displays information about the user, and threatens to send it to a remote user if the victim does not pay the given amount.

How many users are affected by this attack? Where are they located?

One-click fraud is essentially unknown outside of Japan. Within Japan, however, it is frequent enough that government agencies keep track of cases that have been filed with their offices. Typically, around 400 new cases are reported every month. It is certain, however, that many other cases go unreported—users may be afraid of going to law enforcement.

It has been suggested that these attacks work because they succeed so well in instilling shame and guilt, embarrassing users enough that they will be forced to pay.

Are there any other attacks like this in other countries? What are the differences between these attacks?

Conceptually, there are similarities between one-click fraud and scareware/FAKEAV attacks found elsewhere. In both cases, users are paying money to get something they want: pornography in the former, and “antivirus software” in the latter. Ransomware attacks are broadly similar as well, although there the user is paying to avoid something highly undesirable (loss of data).

In addition, the tactics that one-click fraud uses are very similar to ZLOB/fake video codec attacks in the past. These attacks also entice victims with videos, but they will need to download a codec (which is the malware) in order to view them.

There are two key differences between one-click fraud and similar attacks. Firstly, the money involved is much higher: users are scammed out of up to 100,000 yen. Contrast this to scareware attacks, which often are priced below $100.

The first factor directly influences the second: payment is made via direct deposit, which is highly unusual for this category of scams. This may be attributed to the larger amount of money involved, as well as a desire to avoid automated fraud detection schemes.

What can users do to protect themselves?

In general, searching for pornography online will always raise the risk for users, because cybercriminals are keenly aware of how many people are looking for it and plan their attacks accordingly. However, for one-click fraud, a key sign of trouble is the multiple hoops that the user must pass through before being able to download the “video”. If users encounter such a situation, they are strongly advised to proceed with caution.

Trend Micro blocks both the websites and files associated with these sorts of attacks with Trend Micro™ Smart Protection Network™. Web Reputation Technology blocks malicious URLs before they reach users’ systems, while File Reputation Technology checks the reputation of each file against an extensive database before permitting user access.

Users are also protected on their mobile phones with Trend Micro Mobile Security, a complete security solution for mobile devices. Trend Micro Mobile Security is powered by the Trend Micro™ Smart Protection Network™.